CVE-2010-3830
Description
A local user can gain privileges by sending specially crafted network packets that trigger an invalid pointer dereference in iOS packet filter processing before version 4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apple iOS before version 4.2 contains a use-after-free or invalid pointer dereference in the networking subsystem during the processing of packet filter rules ([1]). The bug affects iOS 4.1 and earlier on iPhone 3G and later, iPod touch (2nd generation) and later, and iPad running iOS 3.2 through 3.2.2 ([1]). The code path is reachable when a local user (or process) triggers evaluation of crafted filter rules via unspecified vectors.
Exploitation
An attacker must have local access to the device, either through a user-installed application or by physical possession. The exploit sequence involves sending specially crafted network packets that cause the system to follow an invalid pointer while processing packet filter rules. No user interaction beyond launching the malicious process is required; the attack proceeds when the device's networking stack handles the attacker's input.
Impact
Successful exploitation allows a local attacker to gain elevated privileges on the device. The exact privilege level is not disclosed, but the CVE description states the attacker can 'gain privileges' ([1]), implying escalation beyond the sandboxed application level, potentially leading to arbitrary code execution with system privileges.
Mitigation
Apple released iOS 4.2 on November 22, 2010, which addresses this vulnerability ([1]). Users should update their devices to iOS 4.2 or later via iTunes. No workarounds are available for vulnerable versions. The issue is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=4.1)
- cpe:2.3:o:apple:iphone_os:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0.2:*:*:*:*:*:*:*
- Range: <4.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper initialization of the overload_tbl field in the DIOCADDRULE ioctl handler leads to an arbitrary decrement in kernel memory when processing DIOCCHANGERULE."
Attack vector
A local attacker can exploit this vulnerability by sending specially crafted ioctl calls to the packet filter device. By manipulating the `overload_tbl` field within a `pfioc_rule` structure during a `DIOCADDRULE` operation, an attacker can cause the `pfr_detach_table` function to decrement an arbitrary kernel memory location when the rule is later removed via `DIOCCHANGERULE` ([1]). This arbitrary decrement can be used to corrupt kernel memory, such as overwriting a system call handler, to gain elevated privileges.
Affected code
The vulnerability lies within the `pfioctl` function in `bsd/net/pf_ioctl.c`. Specifically, the `DIOCADDRULE` case improperly handles the initialization of the `rule->overload_tbl` pointer when `rule->overload_tblname` is empty. This leads to an invalid pointer being used in `pfr_detach_table` within `bsd/net/pf_table.c` when `DIOCCHANGERULE` is called to remove the rule.
What the fix does
The patch is not explicitly provided in the bundle. However, the advisory indicates that Apple iOS before 4.2 is affected. The vulnerability is addressed in iOS 4.2. Users should update to a non-vulnerable version of the operating system to mitigate this risk.
Preconditions
- The attacker must have local access to the affected device.
- The attacker must be able to execute code on the device to send crafted ioctl calls.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.